Hello, I'm running fail2ban on my centos machine. It's handling sshd and postfix, and is working quite well. From the reports I'm seeing all the atempts are from a certain registrar's region, I won't name it, and was wondering instead of blocking individual ip's if there was a way I could block with iptables the complete region of ip's. I realize this will cut off a good majority of the world, but this is something i'm still curious about?
With regards blocking ip's and fail2ban, which method is better in terms of system resources, blocking via iptables as in the case of sshd or blocking via hosts.deny as in the case of postfix?
Thanks. Dave.
On Wednesday 11 May 2011 12:58, the following was written:
I'm running fail2ban on my centos machine. It's handling sshd and postfix, and is working quite well. From the reports I'm seeing all the atempts are from a certain registrar's region, I won't name it, and was wondering instead of blocking individual ip's if there was a way I could block with iptables the complete region of ip's. I realize this will cut off a good majority of the world, but this is something i'm still curious about?
iptables -I INPUT -i eth0 -s x.x.x.x/24 -j DROP
Replace the x's with the start of the ip address range you want to block and also make sure you are using the correct bit mask for that range. If the interface is something other then eth0 then you will need to replace that too with the correct interface. The '-I' will place this rule as the very first rule in the chain. If you are using a passthrough box then replace INPUT with FORWARD.
With regards blocking ip's and fail2ban, which method is better in terms of system resources, blocking via iptables as in the case of sshd or blocking via hosts.deny as in the case of postfix?
I don't know the answer to this. I prefer IPTABLES.
Robert Spangler wrote:
On Wednesday 11 May 2011 12:58, the following was written:
the atempts are from a certain registrar's region, I won't name it,
iptables -I INPUT -i eth0 -s x.x.x.x/24 -j DROP
I do not consider /24 subnet a "region subnet". You would need to use something like sophisticated reverse DNS to resolve IP of the connection and that would take time, not to mention problems with false positives and .com, etc. Only way would be if you would know physical locations of respective subnets.
I use denyhosts that regularly pools new offenders IP's from protected systems all around a world. On my 3 servers, in last 5 months, I had only 114 e-mail reports of an ssh attempt. denyhosts uses hosts.deny, and currently I have ~7000 IP's blocked from there that are automatically blocked.
Hello Everyone, Thanks for all your suggestions. I have gone with iptables and blocked off the necessary region ip blocks in my firewall. If anyone is interested i'll send the list. Thanks again. Dave.
On 5/11/11, Ljubomir Ljubojevic office@plnet.rs wrote:
Robert Spangler wrote:
On Wednesday 11 May 2011 12:58, the following was written:
the atempts are from a certain registrar's region, I won't name it,
iptables -I INPUT -i eth0 -s x.x.x.x/24 -j DROP
I do not consider /24 subnet a "region subnet". You would need to use something like sophisticated reverse DNS to resolve IP of the connection and that would take time, not to mention problems with false positives and .com, etc. Only way would be if you would know physical locations of respective subnets.
I use denyhosts that regularly pools new offenders IP's from protected systems all around a world. On my 3 servers, in last 5 months, I had only 114 e-mail reports of an ssh attempt. denyhosts uses hosts.deny, and currently I have ~7000 IP's blocked from there that are automatically blocked. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 5/11/2011 2:08 PM, Robert Spangler wrote:
On Wednesday 11 May 2011 12:58, the following was written:
I'm running fail2ban on my centos machine. It's handling sshd and postfix, and is working quite well. From the reports I'm seeing all the atempts are from a certain registrar's region, I won't name it, and was wondering instead of blocking individual ip's if there was a way I could block with iptables the complete region of ip's. I realize this will cut off a good majority of the world, but this is something i'm still curious about?
iptables -I INPUT -i eth0 -s x.x.x.x/24 -j DROP
Replace the x's with the start of the ip address range you want to block and also make sure you are using the correct bit mask for that range. If the interface is something other then eth0 then you will need to replace that too with the correct interface. The '-I' will place this rule as the very first rule in the chain. If you are using a passthrough box then replace INPUT with FORWARD.
With regards blocking ip's and fail2ban, which method is better in terms of system resources, blocking via iptables as in the case of sshd or blocking via hosts.deny as in the case of postfix?
I don't know the answer to this. I prefer IPTABLES.
More efficient using iptables to stop it before its processed in the case of mail. Also, look at "Spamdyke" as an alternative to stop senders,RDNS or ip blacklisting. Dave
Dne 11.5.2011 18:58, David Mehler napsal(a):
With regards blocking ip's and fail2ban, which method is better in terms of system resources, blocking via iptables as in the case of sshd or blocking via hosts.deny as in the case of postfix?
http://www.fail2ban.org/wiki/index.php/HOWTO_use_geoiplookup DH
-
David Hrbáč -
David Mehler -
David Milholen -
Ljubomir Ljubojevic -
Robert Spangler